With new data protection regulations on the way, Enclave Technologies will keep you informed so that you can comply with the impending legislative changes. Data protection is changing – on 25th May 2018 the General Data Protection Regulation (GDPR) will come into force and replace the current data protection framework under the European Union (EU) Data Protection Directive. This means that organisations involved in any kind of data processing must be aware of their obligations under the new regulation.
The GDPR is designed to standardise and strengthen the rights of European citizens to data privacy in a secure and transparent manner. As a data controller, you’re already aware of your legal responsibilities under the Data Protection Act so let’s look at what the coming changes will mean for you and your organisation. The key changes involved are as follows:
- Increased Territorial Scope – this is the biggest change to the regulation of data privacy, applying to all companies that process the personal data of residents in the EU, regardless of the company’s location. Until now the territorial applicability of the directive was ambiguous, referring to data processing “in context of an establishment”. This subject has come up in several high-profile court cases. GDPR is very clear on applicability – it will apply to the processing of personal data by data controllers and processors in the EU, whether the processing takes place in the EU or not. It will also apply to the processing of personal data of data subjects in the EU by a controller or processor not established in the EU, where the activities relate to offering goods or services to EU citizens (whether this involves a payment or not) or to the monitoring of behaviour that takes place within the EU. Non-EU organisations which process the data of EU citizens will be required to appoint a representative in the EU.
- Penalties – While there is a tiered approach to fines, organisations that breach GDPR may be fined up to 4% of annual global turnover or €20 million, whichever sum is greater (this is the maximum fine applicable for the most serious infringements such as not having sufficient customer consent to process data or violating the core of Privacy by Design concepts). These rules apply to both processors and controllers which means that “clouds” will not be exempt from GDPR enforcement.
- Consent – the conditions for consent have been enhanced and companies will no longer be able to use lengthy, complex terms and conditions full of legal jargon. The request for consent must be in an easy-to-understand and easily accessible form (using clear, plain language), with the purpose for the data processing attached to that consent. Consent must be clear and easy to distinguish from other matters and the means of withdrawing consent must be as easy as the means of granting it.
The Data Protection Commissioner has listed 12 steps that you can take to make sure you’re ready for the coming changes with a handy infographic:
The Rights of Data Subjects
- Breach Notification – breach notification will be mandatory under GDPR in all member states where a data breach is likely to lead to “a risk for the rights and freedoms of individuals”. Data processors must notify both their customers and the controllers without undue delay. Notification must take place within 72 hours of first becoming aware of a breach.
- Right to Access – the GDPR outlines expanded rights for data subjects, including the right to obtain from the data controller confirmation on whether or not personal data relating to them is being processed, where, and for what purpose. The data controller must provide a copy of the personal data (free of charge) in an electronic format. This change is designed to empower data subjects and increase data transparency.
- Right to be Forgotten – this is known as Data Erasure and entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of said data and potentially stop third parties processing the data. Article 17 outlines the conditions for erasure, including that the data is no longer relevant to the original purposes for processing or that the data subject withdraws consent. This right requires that controllers weigh the subjects’ rights against “the public interest in the availability of data” when considering requests.
- Data Portability – GDPR introduces data portability, the right for a data subject to receive the personal data concerning them, which they have previously provided in a “commonly used and machine readable format” and the right to transmit said data to another controller.
- Privacy by Design – this has existed as a concept for years but is only now becoming a legal requirement with GDPR. Privacy by Design calls for the inclusion of data protection from the outset of system design, rather than as an addition. The data controller must implement organisational and technical measures to meet the requirements of this Regulation and protect the rights of data subjects. Article 23 requires controllers to hold and process only the data absolutely necessary to complete their duties (data minimisation) and to limit access to personal data to those who need it to carry out the processing.
These changes are quite profound and the countdown to change has begun. In order to make sure you comply with the new law when it comes into force, you’ll need to start getting ready for GDPR right now. If you need help, we recommend an Audit to support you in preparing for GDPR. Contact us to arrange this Audit.